Many companies had refined their IT disaster recovery programs prior to 9/11, but the attacks exposed a lack of attention to continuity of business operations.

In the aftermath of the terrorist attacks on Sept. 11, 2001, Dave Rudzinsky's first thoughts and concerns were for the people affected by the tragedies. As someone who plays a critical role in his own employer's disaster readiness, he also found himself trying to comprehend the corporate devastation.

"I started thinking, what about all those businesses?" recalls Rudzinsky, CIO at Hologic, a $1.7 billion medical device company based in Bedford, Mass.

Many companies had refined their IT disaster recovery programs prior to 9/11, but the attacks exposed a lack of attention to continuity of business operations, says Roberta Witty, research vice president at Gartner.

"What happens when you lose your workforce? What if you don't have a building to go to anymore? How do you get in touch with your employees? How do you keep track of injured people? How do you shift work from one location to another?" Witty says. "Companies realized that all they had was an IT disaster recovery program. They had to focus on the business side of house, to a great extent."

The 9/11 attacks showed the world that the worst possible scenario can actually happen, says Bill Swislow, CIO and senior vice president at Cars.com in Chicago. "We understood what that kind of event could do, that it could shut down the downtown of a city for days at a time."

Since 9/11, Cars.com has focused more attention on disaster recovery and continuity of operations. It now has access to a remote office site in the event that its downtown Chicago headquarters is inaccessible, for instance. "We've thought much more about loss of physical access, and we have a plan that tries to address the situation if there's no central office for people to go to," Swislow says.

Among the changes Hologic made following 9/11 was to move key applications including its ERP systems to a hosted data center facility. The data center provider has more expertise implementing state-of-the-art disaster recovery plans and technologies, Rudzinsky says. "We're in the medical device business, not the data center business."

Hologic also has enabled more of its workforce to telework in the event of an emergency. "We certainly need manufacturing and operations people to get to the factories, but a lot of the other business functions are enabled now to work from just about anywhere," Rudzinsky says.

Before 9/11, Hologic's disaster recovery preparations were about satisfying corporate auditors. Now it's a more strategic priority, not only for IT but also for the company's top executives.

"As a small startup, we were more risk tolerant. As we've become a larger, public company, we're a lot less risk tolerant," Rudzinsky says. "On our IT agenda and our business agenda every year, IT risk and security keeps climbing."

Rethinking IT priorities

The attacks wound up giving some IT teams the support they needed to put longtime plans into action. For Brandeis University, that meant going ahead with plans to build a redundant data center.

"We talked about it, we planned for it, but it never really got beyond the planning stages. It's something that really got pushed to the back burner," says John Turner, director of networks and systems at Brandeis in Waltham, Mass. "I think that 9/11 had a direct impact on the overall funding decision to go ahead and build out a second data center."

New and expanded legislation passed post-9/11 also impacted Brandeis. As part of the Patriot Act, colleges and universities hosting international students are required to use the Student Exchange and Visitors Information System (SEVIS), a digitized system for tracking information regarding exchange visitors, international students and scholars.

Homeland security efforts also expanded the impact of the 1994 Communications Assistance for Law Enforcement Act (CALEA), or digital wiretap law; colleges and universities that essentially act as ISPs to the student populations can be required to allow surveillance access to their networks.

IT teams at Brandeis have had to equip the school's ERP systems to collect and monitor SEVIS data, for instance, and security groups have been trained to respond to court-ordered wiretaps and data preservation requests. "The Patriot Act had a big impact on what we do and how we operate," Turner says.

The mass shooting on the campus of Virginia Tech also had a big impact on Brandeis; the 2007 tragedy forced the entire education industry to reconsider and strengthen their ability to communicate with students, faculty and staff in the event of an emergency.

Brandeis bolstered its emergency communications systems to allow the university to notify students, faculty and staff about crisis situations on campus through a number of different media, including campus email and voicemail; voice and text message sent to students' personal cellphones; broadcast messages to phones located in offices, classrooms and public gathering places; and students' personal email accounts.

"After Virginia Tech, the main concern was to evaluate our ability to message the community in a crisis situation," Turner says.

Private industry, too, is paying greater attention to emergency communications, Gartner's Witty says, with hosted offerings enabling businesses to share essential information before, during and after a crisis. "They're using it to communicate the company's recovery operations and to inform the workforce, customers and partners about the impact of an emergency and how the company is responding," Witty says.

Laying the groundwork

In Washington, D.C., one of the most tangible technology deployments completed in the wake of 9/11 is the city's municipal fiber network, called DC-Net.

"From the moment I walked in the door in January of 2003, it was all about, 'Let's make sure we have citywide services and those citywide services must be able to sustain various levels of disaster,'" recalls Rob Mancini, who today is CTO in the District of Columbia's Office of the Chief Technology Officer (OCTO). "The existence of the basic infrastructure, the city-owned government network on high-speed fiber, is the beginning of getting our arms around a 9/11-type of issue."

DC-Net provides voice, data, video and wireless services for 347 District government sites including 120 schools, 35 recreation centers and 20 libraries. DC-Net also supports the District's 911 call center and its police, fire, emergency medical and emergency management services. For the public, DC-Net provides backhaul for more than 250 free wireless hotspots throughout the city.

Those wireless hotspots proved to be an important asset when a 5.8 magnitude earthquake occurred in Virginia last month and cellphone networks were jammed by a flood of calls.

"When the earthquake hit, we had a few thousand people jumping on [the Wi-Fi network on the National Mall] to let their families know they were OK. We didn't have that 10 years ago, and we continue to build on that," says Mancini.

The terrorist attacks were a turning point, and the operational vulnerabilities that were exposed after 9/11 continue to be tested by events worldwide, such as hurricanes, earthquakes, volcanic ash incidents, flu pandemics and campus violence, Gartner's Witty says.

IT pros agree.

"Everything from that day forward has prepared us to handle a crisis situation as part of normal operating procedures. We prepare further in advance for these situations, and we have good methodologies in place now. A decade ago it wasn't that way," Brandeis' Turner says.